SELWAK: A Secure and Efficient Lightweight and Anonymous Authentication and Key Establishment Scheme for IoT Based Vehicular Ad hoc Networks

In recent decades, Vehicular Ad Hoc Networks (VANET) have emerged as a promising field that provides real-time communication between vehicles for comfortable driving and human safety. However, the Internet of Vehicles (IoV) platform faces some serious problems in the deployment of robust authentication mechanisms in resource-constrained environments and directly affects the efficiency of existing VANET schemes. Moreover, the security of the information becomes a critical issue over an open wireless access medium. In this paper, an efficient and secure lightweight anonymous mutual authentication and key establishment (SELWAK) for IoT-based VANETs is proposed. The proposed scheme requires two types of mutual authentication: V2V and V2R. In addition, SELWAK maintains secret keys for secure communication between Roadside Units (RSUs). The performance evaluation of SELWAK affirms that it is lightweight in terms of computational cost and communication overhead because SELWAK uses a bitwise Exclusive-OR operation and one-way hash functions. The formal and informal security analysis of SELWAK shows that it is robust against man-in-the-middle attacks, replay attacks, stolen verifier attacks, stolen OBU attacks, untraceability, impersonation attacks, and anonymity. Moreover, a formal security analysis is presented using the Real-or-Random (RoR) model.


Introduction
The past decade has witnessed colossal advancements in Information and Communication technologies (ICT) resulting in a number of concepts appearing on technological horizons. In practice, ICT has become an integral part of every field of human life. The concept of "smart and autonomous environment" is the result of emerging ICT models that can benefit human society at large. The Internet of Things enables the autonomous and smart society to connect billions of smart devices to inter-and intra-communication to achieve its goals [1][2][3]. These intelligent sensing and interconnected devices depict a tremendous capacity for replicating the physical environment into corresponding digital environments. IoT-based smart environments can assist society in a broad spectrum, such as e-health care, business, e-commerce, logistics, education, agriculture, defense, and many more.
VANETs are a crucial component of a smart and autonomous environment with an aim to deliver Intelligent Transport System [4] where vehicles communicate with each other,

Moving vehicles with varying accelerations make VANETs different from traditional ad hoc networks, thereby featuring specific network challenges in the case of VANETs. Resource-constrained IoT devices and the wireless nature of communication in VANETs make security a concern of prime focus [6]. Insecure communication may result in the transfer of life-critical information to an adversary. Unauthentic information may lead a passenger to a path of adversary's choice, thus, putting life in danger [7]. Acceptance of a malicious message may cause malfunctioning of the vehicle system. Therefore, security gains prime importance in the case of VANETs, as unwanted situations may cause privacy breaches to one extent and prove to be fatal to the other.
A Secure and Efficient Lightweight Anonymous Mutual Authentication and Key establishment scheme for IoT-based vehicular ad hoc networks (SELWAK) is proposed in this paper. The proposed scheme uses a simple XOR operation and a one-way hash function, making it light in terms of resource usage. Various authentication and key establishment schemes have been discussed in the literature. Moreover, resource-constrained devices do not support traditional cryptographic operations due to low memory and computational power, and therefore demand lightweight cryptographic primitives. Ensuring the privacy of vehicles is a challenging issue because an adversary can trace the traveling routes of vehicles and identify vehicles, which may cause serious danger. To overcome privacy issues, the proposed scheme uses mask identities to ensure anonymity and privacy preservation. In addition to this, an attacker cannot relate a driver's multiple mask identities to reveal his/her real identity. The proposed scheme provides better security services in a cost-effective manner compared to existing schemes. SELWAK consists of four phases: (i) registration, (ii) authentication and key agreement, (iii) RSU-to-RSU key establishment, and (iv) password change.
In the registration phase, vehicles and roadside units register with the TA. The driver of the vehicle chooses various credentials and sends them to the TA in a secure way. Then, the vehicle is deployed on the VANETs. Before deployment of a vehicle in VANETs, the TA sends the information to vehicle $V_i$ in a secure way, and $OBU_i$ stores that information for future use. In the RSU registration phase, the TA generates credentials for every RSU that is deployed in VANETs. The second phase consists of two sub-phases: (i) the V2V authentication key agreement phase and (ii) the V2RSU authentication key agreement phase. In each sub-phase, after successful mutual authentication, a session key is established between two entities, and this key is later used for authentication purposes. In the key establishment phase of RSU-to-RSU, a session key is established between those RSUs on the basis of their preloaded credentials. For secure communication, it is necessary that the driver of the vehicle change the password periodically. There is an option available for drivers to change passwords locally without interacting with the TA. Formal security analysis of SELWAK was done using the Real-or-Random (RoR) model. SELWAK provides better security services and effectively reduces computational cost and communication overhead, as indicated by the derived results. The following are the main contributions of this paper.

• In this paper, a novel lightweight anonymous authentication and key establishment scheme for VANETs is proposed that uses one-way cryptographic hash functions and simple XOR operations.
• We ensure the privacy of vehicles so that an adversary cannot trace the real identity and travel routes of vehicles.
• SELWAK is secure against replay attacks, impersonation attacks, man-in-the-middle attacks, stolen verifier attacks, stolen OBU attacks, untraceability, and anonymity.
• Formal security proof of establishing a secure session key is provided using the RoR model.
The remainder of the paper is organized as follows. Section 2 discusses related work, whereas Section 3 presents systems models. In Section 4, the proposed SELWAK is described, while Section 5 presents the security analysis. In Section 6, we evaluate the performance of the proposed scheme, and Section 7 concludes the paper.

Related Work
Numerous studies exist on authentication, key establishment, and privacy preservation in VANETs. Below, we present a brief discussion of a few existing techniques. Wang et al. [8] proposed an authentication scheme for VANET using a group signature. According to the authors, when vehicles apply for group membership, membership validity is checked to determine whether the vehicle is still a member of the group. Batch verification of vehicles can also be done in the proposed scheme. The authors in [9] proposed a password-based novel group key agreement protocol. Their scheme provides better privacy services in the field of VANET. The proposed scheme uses a hash function for authentication and integrity. According to the authors, their scheme has less computational cost as well as communication overhead as compared to certificate-based public key cryptography and identity-based public key cryptography but is vulnerable to denial-of-service attacks. In a novel secure and efficient anonymous authentication scheme with a privacy preserving scheme (EAAP) [10], RSUs and OBUs use digital signatures to sign each message. The EAAP scheme uses a bilinear-pairing technique to confirm the integrity and authentication of messages. Bilinear pairing has a high computational cost compared to the cryptographic general hash function [11]. A discrete event-based threat-driven authentication scheme has been proposed to ensure secure V2I and V2V communication in [12]. To satisfy the secure communication between V2V and V2R, the proposed approach uses a session key, private key, and public key simultaneously. The authors used the Petri Nets and Veins framework for the formal analysis of their scheme. Zhang et al. [13] proposed an identity-based public key cryptographic (ID-PKC) scheme for privacy-preservation communication. The authors used bilinear pairing and ID-PKC to originate vehicular clouds and secure communication in vehicular clouds.
In this scheme, a secure and anonymous dynamic vehicular cloud comes from using pseudonyms. The authors also presented a well-organized protocol that allowed cloud users to join or leave the group dynamically. Two schemes that control traffic lights intelligently using fog computing were proposed in [14]. The first scheme's security is based on Computational Diffie-Hellman puzzle hardness, and the second is based on the hash collision puzzle. After a fixed interval of time, the traffic lights generate the puzzle and verify it. For VANETs, a decentralized mutual authentication and key agreement scheme was proposed in [15]. The vehicles communicate in a clustered fashion and use the hash function and XOR operation. There are three types of authentication taking place: vehicles-to-cluster heads, between cluster heads and cluster heads, and roadside units. This scheme does not consider batch verification and privacy preservation of the signatures of multiple messages. Ibrahim et al. [16] proposed two schemes, epidemic-based and topology-based, in which the RSU switches its authentication service to the nearest vehicle for the betterment of the authentication service. The topology-based scheme depends upon network analysis and computing node degree, but the scheme based on the epidemic level did not depend on network analysis. The authors have compared both schemes and show that topology-based schemes have better performance but more security threats than epidemic-based schemes. An authentication scheme with privacy preservation property based on identity was proposed in [17]. To reduce communication overhead, a registration list is used instead of the revocation list. The security features of VANET were not affected by malicious vehicles. Moreover, their scheme did not use bilinear pairing operations, which take more execution time, thus dramatically reducing computation and communication costs. Gope et al. [18] proposed an efficient authentication scheme based on RFID with privacy features. This scheme uses a distributed IoT infrastructure for secure localization servers to facilitate smart city environments. The backend server has a full command to recognize RFID tags without any trouble. However, the problem with this scheme is that the managing server is so powerful that it can know the entire communication of RFID tags. The security of the scheme depends on the backend server. If the backend server has a strong security mechanism, then the attacker cannot get security credentials, but if backend server security is compromised, then the attacker can easily get secret information and execute a forgery attack. Second, the RFID tags did not have any physical security. A signature based on an identity scheme for authentication of V2V communication has been proposed in [19]. This scheme is based on elliptic curve cryptography. The advantage of batch signature verification is that it can authenticate a large number of vehicles at a time. This scheme uses an RoR model for security proof. According to the authors, their scheme reduces the execution time and communication burden compared to other schemes. Cui et al. [20] proposed an authentication scheme that preserves the privacy property in the field of VANET. This scheme uses ECC and identity-based signatures for both V2I and V2V communication. The authors used the binary search method and the cuckoo filter method to improve the success rate of batch signature verification. Xie et al. [21] proposed a robust and secure conditional privacy-preserving scheme using identity-based authentication. The reliability and integrity of the messages are ensured using identity-based signatures for V2V communication and V2I communication. The results of this scheme show that it has a high computational cost and communication overhead. A conditional-based privacy and authentication scheme was proposed in [22].
Protection against side-channel attacks is achieved by storing sensitive data on the TPD of the OBU and updating it periodically. The formal security analysis of their scheme has been shown using BAN-logic. Their approach is based on a one-way hash function and ECC; therefore, according to the authors, their scheme is efficient in terms of cost compared to existing schemes [23][24][25][26]. To ensure secure communication in VANET, an authentication scheme based on ECC that satisfies privacy preservation was proposed in [27]. In this scheme, the authors combined RSU- and TPD-based schemes to handle privacy and security issues in VANET. All the system's public credentials and keys are preloaded in the TPD of the RSU. Their scheme worked in four phases: initialization phase, mutual authentication, signing, and verification phases. Jie et al. [28] presented a chaos mapping-based full session key agreement scheme. This scheme worked in two phases. In the first phase, group key agreement was made between the cluster head and the fog server. In the second phase, a group key agreement is made among vehicle nodes. A secure and robust authentication and privacy scheme has been introduced for vehicular communication [24]. The trusted authority preloads the already computed private key in the vehicle's TPD via a secure medium. Jalawai et al. [27] presented an authentication mechanism using elliptic curve cryptography, which satisfied conditional privacy preservation. They addressed some security and privacy concerns based on the combined usage of TPD-based schemes with RSU-based schemes. The system's key and all the initial public parameters are preloaded in the TPD of the RSU. There are some issues with privacy and security, and some attacks are also possible. Vijayakumar et al. [29] proposed an authentication and key distribution scheme for VANET. According to the authors, their scheme is efficient in terms of both computation cost and communication overhead.
In addition, the vehicles that come in the orbit of the RSU securely distribute the group key among the vehicles. The RSU uses the group key to send the message related to the location among the neighboring vehicles via a secure channel. Vijayakumar et al. [30] proposed a novel batch authentication and key exchange protocol based on 6G technology for VANET. In addition, their scheme reduces the load on the RSU in congested areas. An elliptic curve-based intelligent conditional privacy-preserving technique for VANET has been proposed in [31]. The authors claimed that this scheme is secure, efficient, and can be easily deployed. A cuckoo filter-based authentication scheme that improved timed efficient stream loss tolerance for VANETs was proposed in [32]. The authentication information of vehicles that came under the communication range of the RSU can be saved by a cuckoo filter. This scheme provides robust, anonymous authentication and reduces costs. To provide safety in VANET, an efficient anonymous mutual authentication approach with privacy is proposed in [32]. In their scheme, the trusted authority preloaded a group of pseudonym identities and a group of private keys to each vehicle, which may cause problems for managing huge certificates, which will increase the burden for management of certificates for TA due to the limited storage capacity of the vehicle. Ren et al. [33] proposed a blockchain-based, certificateless public key signature scheme for VANET. Their scheme provides support for batch verification of signatures, and blockchains are used to protect the privacy of vehicles. Moreover, this scheme also realized the traceability property. An authentication approach for global mobility networks was proposed in [34]. This scheme is based on an elliptic curve cryptosystem and therefore takes much execution time to perform major cryptographic operations.
The schemes discussed in the literature have some problems. Due to the fast movement of vehicles in VANET, the performance of signature-based schemes is not optimal. The OBU has limited storage capacity, computing power, and power. The signing and verification of road safety-related messages slows down due to heavy cryptographic operations. For example, bilinear pairing operations consume more time in the message signing and verification process [30]. Therefore, it is difficult for an RSU to verify a large number of vehicles in its range moving with high speed in a short period of time. This puts a heavy burden on the verifying vehicle and is behind the current demand for an efficient and lightweight scheme that validates many traffic-related messages on V2V, V2RSU, and RSU2RSU connections in high traffic density areas without compromising safety. On the other hand, a group signature-based scheme requires each vehicle to register with the TA and receive its private key via a secure channel. These time-consuming operations create hurdles for vehicles to change private keys easily. Therefore, the likelihood of an attack increases.

Motivations
In VANETs, vehicles travel at high speeds; therefore, the schemes mentioned in the literature are not optimal for such an environment. The OBU fixed in the vehicle has limited storage capacity, power supply, and computational power. Various major cryptographic operations slow down the signature generation and verification processes of road safety-related messages. For example, elliptic curve point multiplication and point addition are considered to be the most time-consuming operations in ECC-based schemes. Therefore, it is difficult for the RSU to verify vehicles moving at high speeds through its communication range in a short time period. This creates a high load on verifying entities, which is the reason a secure and efficient lightweight and anonymous authentication and key establishment scheme for IoT-based vehicular ad hoc networks is in demand.

System Model
The network and threat models are presented in this section.

Network Model
The network model for VANET used in SELWAK is shown in Figure 1. In this model, the entities involved are vehicles ($V_i$), roadside units (RSUs), and the TA. In the network model, three types of participation are involved: V2V, V2RSU and RSU2RSU. The TA is responsible for generating credentials, for example, keys and identities, for vehicles and RSUs. The information generated by the TA is stored in the memory of RSUs and OBUs, which can be used for authentication purposes. In light of the proposed model, the authentication processes that are required are V2V, V2RSU and RSU2RSU.

Threat Model
According to this model, all entities are assumed to communicate with each other through the insecure channel. RSUs are also assumed to be semi-trusted. An attacker can easily delete, modify, or eavesdrop the transmitted message. As RSUs are considered semi-trusted, we considered that the RSU's confidential information is stored in tamper-proof devices within RSUs. However, we considered that OBUs are not installed with tamper-proof devices. Moreover, by using a power analysis attack [22,23], an attacker can extract all the sensitive information from some stolen OBUs of the vehicles. Finally, the TA is considered a fully trusted authority.

Proposed Scheme
In this paper, a novel lightweight and anonymous authentication and key establishment scheme for IoT-based VANETs is proposed. In SELWAK, when a vehicle joins the region of another vehicle, anonymous mutual authentication between the vehicles is performed to avoid communication with malicious vehicles. To perform different types of wireless communications in VANETs, our authentication scheme can be divided into three categories: Vehicle-to-Vehicle, Vehicle-to-Roadside Unit, and Roadside Unit-to-Roadside Unit authentication. The proposed scheme works in four phases: registration phase, authentication and key agreement phase, RSU-to-RSU key establishment phase, and password change phase. Before giving a detailed description of the various phases, we briefly describe each phase in Figure 2. The definitions of the notations in our scheme are described in Table 1.

[Figure 2, recoverable step labels: (4) Authentication request message; (5) Authentication reply message; (6) Acknowledge message. V2RSU Authentication and Key Establishment Phase: (7) Send a request message for authentication; (8) Authentication reply message; (9) Acknowledgement message. RSU2RSU Key Establishment Phase: (10) Send a request message for key establishment; (11) Key establishment response message.]

Registration Phase
In this phase, the registration of vehicles and roadside units is done in the following ways.

Vehicle Registration Phase
It is necessary to register each vehicle offline with the TA for secure V2V and V2R communication. The vehicle's registration with the TA is a one-time process; hence, for the execution of this process, a secure channel is required, e.g., in person. The steps below are used for this purpose.

1. The driver $Drv_i$ of vehicle $V_i$, on his own choice, chooses a password $PWD_i$ and unique identity $Drv_{id}$ and two 160-bit random numbers $s_i$ and $k$. $OBU_i$ computes a masked password

2. After receiving the registration request ($drv_{id}$, . Furthermore, for every registered vehicle $V_i$, a unique secret key $SeKV_i$ is also generated by TA and computes time based credential $TV_i = h(SeKV_i \| RT_{vi} \| drv_{id})$ on the basis of the timestamp generated during registration time $RT_v$ of $V_i$ and identity $drv_{id}$ of the driver. Then, TA transmits $(Mdrv_{id}, TV_i, TA_{id}, E_1, E_2, A_1, A_2)$ through a secure channel.

3. After receiving information ($Mdrv_{id}$, $OBU_i$ then deletes $k$, $Mdrv_{id}$, $TV_i$, $TA_{id}$, $E_1$, $A_1$ and $A_2$ from its memory. Finally, $OBU_i$ contains $\{Mdrv_{id}, TV_i, TA_{id}, f_i, Y, E_1, E_4, h(\cdot)\}$. The pictorial representation of the algorithm is given in Figure 3.

Roadside Unit Registration Phase
The trusted authority generates 160-bit secret keys $\alpha$ and $\beta$ before deployment of RSUs in VANETs. Then the trusted authority generates unique identities of RSUs like $RSU_{id_1}, RSU_{id_2}, \ldots, RSU_{id_n}$ and corresponding masked identities $\gamma_i, \gamma_j, \ldots, \gamma_n$ that are generated as $\gamma = h(RSU_{id_k} \| \beta)$. The TA further generates identities for $RSU_j$ as $r = h(TA_{id} \| \beta)$. In addition, the TA generates time-based identities for each $RSU_j$ as $TRSU_j = h(TA_{id} \| RTRSU_j \| \beta)$. $RSU_j$ is then given the information $r$, $\gamma$, $TRSU_j$. In our scheme $\gamma$ is used for vehicle $V_i$ to $RSU_j$ authentication and $TRSU_j$ is used for symmetric key establishment between RSUs. Polynomial-based key distribution is used for RSU2RSU key establishment. To do this, the TA first selects a bivariate polynomial $þ(x, y) = \sum_{l=0}^{n} \sum_{m=0}^{n} s_{l,m} x^l y^m \in GF(þ)[x, y]$ of degree $n$ over a finite field. For each $RSU_j$, the TA computes the polynomial share $þ(TRSU_j, y)$. $RSU_j$ is also loaded with $þ(TRSU_j, y)$ in its memory.

Authentication and Key Establishment Phase
Initially, $Drv_i$ inputs a password $PWD_i^*$ and identity $drv_{id}$ to $OBU_i$. The $OBU_i$ calculates s . Inputting correct credentials: password and identity by authorized users. Each vehicle also computes the same $r$ and $r'$. $OBU_i$ checks the condition $E_4^* = E_4$. If the condition holds, it implies that $drv_i$ is an authentic user. If the condition is not satisfied, then the phase is terminated. In addition, $OBU_i$ also computes $TV_i = TV_i \oplus MPDW_i^*$.

V-To-V Authentication and Key Establishment Phase
In V2V authentication, two neighboring vehicles perform the following steps:

2. After receiving $\{L_1, L_2, T_1\}$, $OBU_j$ validates the timeliness of $T_1$ by checking the condition $|T_1 - T_1^*| \le \Delta T$, where $T_1^*$ is the time when the message is received and $\Delta T$ is the maximum transmission delay. If the condition holds, $OBU_j$ calculates the time-dependent secret key $KS_{r1} = h(r \| T_1)$ on the basis of $T_1$ and previously computed $r$. It then computes $J_1 = KS_{r1} \oplus L_1 = h(N_{OBU_i} \| Mdrv_{id} \| TV_i \| T_1)$. To proceed, it then calculates $L_3 = h(J_1 \| TA_{id}^* \| T_1)$. The $OBU_i$ further checks the condition $L_3 = L_3$; if the condition holds then $V_j$ authenticates $V_i$, and rejects otherwise.

5. On the reception of $\{L_7, T_3\}$, $OBU_j$ checks the correctness of $T_3$ by checking the condition $|T_3 - T_3^*| \le \Delta T$, where $T_3^*$ is the reaching time. Then, it computes $L_8 = h(S_{kvv} \| T_3)$ and checks whether $L_8 = L_7$. If the condition is satisfied, the session key computed by $OBU_i$ is correct, and it guarantees that both $V_i$ and $V_j$ have established the session key $S_{kvv}$ $(= S_{kvv})$ to start mutual communication. The pictorial representation of the algorithm is given in Figure 4.

V-to-RSU Authentication and Key Establishment Phase
In this phase, vehicle $V_i$ and neighbor roadside unit $RSU_j$ perform the following steps for authentication and key establishment:

1. An $OBU_i$ chooses a timestamp $T_1$ and random nonce $NV_i$ and calculates the time-dependent key $SK_{r1} = h(r \| T_1)$ on the basis of previously calculated $r$. It further computes $J_1 = h(NV_i \| Mdrv_{id} \| TV_i \| T_1)$, $L_1 = SK_{r1} \oplus J_1$ and $L_2 = h(J_1 \| TA_{id}^* \| T_1)$ and sends $\{L_1, L_2, T_1\}$ as an authentication message to its nearby $RSU_j$ through a public channel.

2. After receiving $\{L_1, L_2, T_1\}$, $RSU_j$ validates $T_1$. If the timestamp is valid, $RSU_j$ calculates the time-dependent key $SK_{r1} = h(r \| T_1)$ on the basis of $T_1$. It then computes $J_1 = SK_{r1} \oplus L_1 = h(NV_i \| Mdrv_{id} \| TV_i \| T_1)$ and $L_3 = h(J_1 \| TA_{id}^* \| T_1)$. If $L_3 = L_2$ holds, $RSU_j$ authenticates $V_i$, and rejects otherwise.

3. $RSU_j$ then chooses the current timestamp $T_2$ and random nonce $N_{RSU_j}$ to calculate another time-dependent key $KS_r = h(r \| T_2)$, $J_2 = h(N_{RSU_j} \| \gamma \| T_1 \| T_2)$ and $L_4 = KS_r \oplus J_2$. It further calculates the session key $S_{kVR} = h(h(r \| T_1 \| T_2) \| J_1 \| J_2 \| TA_{id}^*)$ and $L_5 = h(S_{kVR} \| T_2)$, and sends message $\{L_4, L_5, T_2\}$ to $V_i$ through an open channel. The pictorial representation of the algorithm is given in Figure 5.
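The V-to-RSU exchange above can be traced end to end with the following sketch, which is an added example and not code from the paper. It assumes SHA-256 for the unnamed hash $h(\cdot)$, length-prefixed concatenation, integer timestamps and constructed credentials; the vehicle's handling of $\{L_4, L_5, T_2\}$ (step 4) is not on the page and is assumed to mirror the RSU's computation.

```python
import hashlib
import hmac
import secrets

DELTA_T = 2  # assumed maximum transmission delay ∆T, in seconds


class AuthError(Exception):
    """A freshness or hash check failed; the receiver drops the message."""


def h(*parts: bytes) -> bytes:
    # h(a || b || ...). SHA-256 and the per-field length prefix are assumptions:
    # the page names no hash function and concatenates fields directly.
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")


def check_fresh(t_sent: int, t_recv: int) -> None:
    if abs(t_recv - t_sent) > DELTA_T:           # |T - T*| <= ∆T
        raise AuthError("timestamp outside ∆T")


def vehicle_request(r, nv, mdrv_id, tv, ta_id, t1):
    """Step 1: OBU_i builds {L1, L2, T1}."""
    j1 = h(nv, mdrv_id, tv, ts(t1))
    l1 = xor(h(r, ts(t1)), j1)                   # L1 = SK_r1 xor J1
    l2 = h(j1, ta_id, ts(t1))
    return (l1, l2, t1), j1


def rsu_reply(r, gamma, ta_id, msg, n_rsu, t_recv, t2):
    """Steps 2-3: RSU_j checks T1 and L3 == L2, then builds {L4, L5, T2}."""
    l1, l2, t1 = msg
    check_fresh(t1, t_recv)
    j1 = xor(h(r, ts(t1)), l1)                   # J1 = SK_r1 xor L1
    if not hmac.compare_digest(h(j1, ta_id, ts(t1)), l2):
        raise AuthError("L3 != L2")
    j2 = h(n_rsu, gamma, ts(t1), ts(t2))
    l4 = xor(h(r, ts(t2)), j2)                   # L4 = KS_r xor J2
    sk = h(h(r, ts(t1), ts(t2)), j1, j2, ta_id)  # S_kVR
    return (l4, h(sk, ts(t2)), t2), sk


def vehicle_confirm(r, ta_id, j1, t1, reply, t_recv, t3):
    """Step 4 is not on the page; assumed to mirror the RSU's computation."""
    l4, l5, t2 = reply
    check_fresh(t2, t_recv)
    j2 = xor(h(r, ts(t2)), l4)
    sk = h(h(r, ts(t1), ts(t2)), j1, j2, ta_id)
    if not hmac.compare_digest(h(sk, ts(t2)), l5):
        raise AuthError("L5 mismatch")
    return (h(sk, ts(t3)), t3), sk               # {L7, T3}


def rsu_accept(sk, ack, t_recv):
    """Step 5: RSU_j checks T3 and L8 == L7."""
    l7, t3 = ack
    check_fresh(t3, t_recv)
    if not hmac.compare_digest(h(sk, ts(t3)), l7):
        raise AuthError("L8 != L7")
    return True


def run_exchange(delay=0, tamper=False):
    """Run one exchange on constructed credentials; returns both session keys."""
    beta, ta_id = secrets.token_bytes(20), b"TA-1"
    r, gamma = h(ta_id, beta), h(b"RSU-7", beta)  # r = h(TA_id||β), γ = h(RSU_id||β)
    mdrv_id, tv = secrets.token_bytes(20), secrets.token_bytes(32)
    t1 = 1_700_000_000
    msg, j1 = vehicle_request(r, secrets.token_bytes(20), mdrv_id, tv, ta_id, t1)
    if tamper:                                    # one bit of L1 altered in transit
        msg = (bytes([msg[0][0] ^ 1]) + msg[0][1:], msg[1], msg[2])
    t_rsu = t1 + delay
    reply, sk_rsu = rsu_reply(r, gamma, ta_id, msg, secrets.token_bytes(20), t_rsu, t_rsu)
    ack, sk_v = vehicle_confirm(r, ta_id, j1, t1, reply, t_rsu, t_rsu + 1)
    rsu_accept(sk_rsu, ack, t_rsu + 1)
    return sk_v, sk_rsu


if __name__ == "__main__":
    sk_v, sk_rsu = run_exchange()
    print("session keys match:", sk_v == sk_rsu)
    for case in ({"delay": 10}, {"tamper": True}):
        try:
            run_exchange(**case)
        except AuthError as e:
            print(case, "rejected:", e)
```

A message that arrives later than $\Delta T$ or with a modified $L_1$ is rejected in step 2, before any session key is derived.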

Key Establishment Phase between RSUs
Two neighbor Roadside Units, namely $RSU_u$ and $RSU_v$, establish a pairwise key using the following steps.

1. The random nonce $N_{RSU_u}$ is generated by $RSU_u$, which sends $\{TRSU_u, N_{RSU_u}\}$ to $RSU_v$.

2. Upon receiving $\{TRSU_u, N_{RSU_u}\}$, $RSU_v$ calculates the symmetric key shared with $RSU_u$ as $S_{kRR} = þ(TRSU_v, TRSU_u)$ by the pre-loaded polynomial share $þ(TRSU_v, y)$ and $S_{KV} = h(S_{kRR} \| N_{RSU_u})$. $RSU_v$ then sends the message $\{TRSU_u, S_{KV}\}$ to $RSU_u$.

3. Finally, on reception of $\{TRSU_u, S_{KV}\}$, $RSU_u$ calculates the symmetric key shared with $RSU_v$ as $S_{kRR} = þ(TRSU_u, TRSU_v)$ $(= S_{kRR})$ by the pre-loaded polynomial share $þ(TRSU_u, y)$ and $S_{KV} = h(S_{kRR} \| N_{RSU_u})$ on the basis of its own already generated random nonce $N_{RSU_u}$. In addition to this, $RSU_u$ checks whether $S_{KV} = S_{KV}$. If the condition is satisfied, it shows that both $RSU_u$ and $RSU_v$ use valid symmetric keys for their onward communication.

5. Upon receiving a message $\{L_7, T_3\}$, $RSU_j$ validates $T_3$. If it is valid, then $RSU_j$ calculates $L_8 = h(S_{kVR} \| T_3)$ and checks whether $L_8 = L_7$. If the condition is satisfied, then the session key computed by $OBU_i$ is correct.

Password Update Phase
In SELWAK, after the registration phase, the vehicle's $OBU_i$ can update the password without using a verification table. The legal user changes the password periodically to improve the security of the system. The following steps are used:

1. $Drv_i$ provides an identity $drv_{id}$ and an old password $PWD_i^{old}$. The $OBU_i$ then computes If the condition is not satisfied, the password updating process is stopped. Else, $Drv_i$ is an authentic user and the $OBU_i$ is allowed to update the password.

2. The driver $Drv_i$ is requested to give a new password $PWD_i^{new}$. Then, it computes after the password update. The pictorial representation of the algorithm is given in Figure 6.


Security Analysis
The RoR model [21] was used for the formal security analysis of SELWAK. We also show that our scheme is secure against well-known attacks.

Formal Security Analysis
Formal security analysis of SELWAK is presented using the Real-or-Random (RoR) model. The security of the session key is shown using the RoR model for the proposed scheme. There are two main participants in our scheme: Vehicle $V_i$ and Roadside Unit $RSU_j$. The RoR model [35] has the following components.

Participants
Let $e^t_{V_i}$ and $e^u_{RSU_j}$ be the instances $t$ and $u$ of $V_i$ and $RSU_j$, respectively. These instances are called oracles.

Accepted State
An instance $e^t$ changes into an accepted state upon reception of the last message. The session identification of $e^t$ for the current session is formed by concatenating all sent and received messages in proper order.

Partnering
Two instances $e^{t_1}$ and $e^{t_2}$ are called partners of each other if they fulfill the following conditions.

• Both $e^{t_1}$ and $e^{t_2}$ are in valid accepted states.
• Both $e^{t_1}$ and $e^{t_2}$ mutually authenticate each other and share an identical session identification.
• Both $e^{t_1}$ and $e^{t_2}$ are mutual partners [36].

Freshness
If attacker A cannot obtain the key generated for a particular session of two nodes on the basis of the reveal query, then $e^t_{V_i}$ and $e^u_{RSU_j}$ are called fresh.

Adversary
Adversary A has full control over the communication between the partners and has the ability to alter messages. The adversary has access to the following queries:

• EX($e^t_{V_i}$, $e^u_{RSU_j}$): An adversary executes this query to obtain a message that is exchanged between two original partners. This is called an eavesdropping attack.
• RL($e^t$): Using this query, an adversary gets the current session key generated by $e^t$.
• SN($e^t$, message): By executing this query, an adversary sends a message to the participant and receives a message in response. This is called an active attack.
• OBU($e^t_{V_i}$): An adversary executes this query to extract the information stored in the OBU. This is called a stolen attack.
• Test($e^t$): It models the semantic security of a session key. After starting the experiment, coin $c$ is flipped, and only the adversary can know the output. This is helpful for determining the output of a test query.

Session Key's Semantic Security
The main task of an attacker in the RoR model is to distinguish the real session key of an instance from a random session key. An adversary may issue several test queries to either $e^t_{V_i}$ or $e^u_{RSU_j}$. The random bit $c$ and the output of the test query should be consistent. When the experiment is over, the adversary outputs a guessed bit $c'$ and wins the game if $c' = c$. Let $Win$ be the event in which the adversary wins the game. The advantage of the adversary in breaking the semantic security of the proposed authenticated key exchange (AKE) scheme $TA$ is defined by $ad^{AKE}_{TA} = |2\Pr[Win] - 1|$. $TA$ is secure if $ad^{AKE}_{TA} \le \theta$ for a sufficiently small real number $\theta > 0$.

Random Oracle
All the participants, including the adversary, have access to a one-way hash function, which is modeled as a random oracle [36]. The security proof is the same as that of Theorem 1 presented in [20]. The breaking of the semantic security of the session key for V2V and V2R is proved in Theorem 1 [37].

Theorem 1. In the RoR model, intruder A runs in polynomial time $t$ against SELWAK. Let $Q_h$, $|Hash|$, $Dec$, $|Dec|$ and $Q_{SN}$ be the number of H queries, the range space of $h(\cdot)$, the distributed password dictionary, the size of the dictionary, and the number of send queries, respectively. The adversary's advantage $ad^{AKE}_{TA}$ in breaking the semantic security of the session key between OBU and RSU in the proposed scheme is defined as

Proof. As in the Chang and Le scheme [36], a sequence of four games $G_i$ $(i = 0, 1, 2, 3)$ is used. $Win_i$ is the event in which an adversary successfully guesses the bit $c$ in game $G_i$. Below is a detailed description of these games.

Game $G_0$: This game is considered a real attack by the adversary on the proposed scheme in the random oracle model. The adversary first guesses the bit $c$ at the start of the game. By definition, we have

Game $G_1$: In this game, an eavesdropping attack by an adversary is simulated by executing an EX($e^t_{V_i}$, $e^u_{RSU_j}$) query. At the end of the game, the adversary makes a test query. The adversary has to decide whether the test query's output is the real session key of the vehicle and RSU or a random number. We get

Game $G_2$: In this game, an active attack by an adversary is simulated. The adversary tries to cheat the participants into accepting an altered message. To find a collision in the hash output, the adversary is allowed to query several oracles. When the birthday paradox is applied, we have |Prb[

Game $G_3$: In this game, the Corrupt OBU query is simulated. An adversary extracts the information stored in $OBU_i$. It is difficult to calculate the correct password. If the system only allows a specific password as an input, we can get

An adversary can simulate all the games except that the adversary needs to guess $c$ to win the game after the test query to the oracle; we get $\Pr[Win_3] = 1/2$ from Equation (1). Finally, from Equations (6) and (7), we get $ad^{AKE}_{TA} \le \frac{Q_h^2}{|Hash|} + \frac{2Q_{SN}}{|Dec|}$.
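
An added worked derivation (not taken from the paper): assuming the bounds usually obtained for these games, namely $\Pr[Win_1] = \Pr[Win_0]$, $|\Pr[Win_1] - \Pr[Win_2]| \le Q_h^2 / (2|Hash|)$ and $|\Pr[Win_2] - \Pr[Win_3]| \le Q_{SN} / |Dec|$, the final bound follows from the definition of the advantage and $\Pr[Win_3] = 1/2$ by the triangle inequality:

$$
\begin{aligned}
ad^{AKE}_{TA} &= |2\Pr[Win_0] - 1| = 2\,|\Pr[Win_0] - \Pr[Win_3]| = 2\,|\Pr[Win_1] - \Pr[Win_3]| \\
&\le 2\left(|\Pr[Win_1] - \Pr[Win_2]| + |\Pr[Win_2] - \Pr[Win_3]|\right) \\
&\le 2\left(\frac{Q_h^2}{2|Hash|} + \frac{Q_{SN}}{|Dec|}\right) = \frac{Q_h^2}{|Hash|} + \frac{2Q_{SN}}{|Dec|}.
\end{aligned}
$$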

Informal Security Analysis
In this section, the proposed scheme's resilience against some well-known attacks is discussed, and the security features of the proposed scheme are also compared with existing schemes.

1. Replay Attack: In the V2V and V2RSU authentication processes, the corresponding messages $MSG_1 = (L_1, L_2, T_1)$ and $MSG_2 = (L_7, T_3)$ have timestamps $T_1$ and $T_3$. If an attacker replays a message with delay, then the validation of the timestamp attached to the message will fail. Therefore, our scheme is robust against replay attacks.

2. Impersonation Attack: During V2V authentication, an attacker who wants to impersonate the vehicle must create an authentic message $MSG_1 = (L_1, L_2, T_1)$. Creating $MSG_1$ requires the secret $r$. An attacker cannot calculate message $MSG_1$ even if he/she generates his/her own timestamp and random nonce, as $r$, $Mdrv_{id}$, $TV_i$ and $TA_{id}$ are secret.

3. Man-in-the-middle Attack: In the proposed scheme, two messages, namely $MSG_1 = (L_1, L_2, T_1)$ and $MSG_2 = (L_7, T_3)$, are required for V2V authentication. If an attacker wants to modify a message, then he/she first generates a current timestamp and random nonce. An attacker cannot calculate KS r1A = h(r||T 1A as he/she does not have the secret key. Thus, an attacker cannot modify messages.

4. Stolen Verifier Attack: The information ($Mdrv_{id}$, $Mdrv_{id}$, is stored in $OBU_i$ of the vehicle. We assume that an attacker can steal stored information from $OBU_i$. However, the one-way hash function protects the secrets $PWD_i$, $r$, $r'$, $TA_{id}$, $drv_{id}$. An attacker cannot guess the secrets $PWD_i$, $r$, $r'$, $TA_{id}$, $drv_{id}$ correctly due to the collision resistance property of a one-way hash function.

5. Stolen OBU Attack: Suppose that an attacker has stolen the $OBU_i$ of the vehicle. An attacker can extract the stored information ($Mdrv_{id}$, $Mdrv_{id}$, $TV_i$, $TA_{id}$, $f_i$, $Y$, $E_1$, $E_4$, $h(\cdot)$) from $OBU_i$. It is difficult for an attacker to derive $drv_{id}$ from $Mdrv_{id}$ without having the secret $\alpha$.

6. Untraceability: In the V2V and V2RSU authentication phases of the proposed scheme, two messages are exchanged: $MSG_1 = (L_1, L_2, T_1)$ and $MSG_2 = (L_7, T_3)$. All messages are distinct in each session, and the attacker cannot trace the RSU or vehicle.

7. Anonymity: In the proposed scheme, the messages for V2V and V2RSU authentication do not involve the identities of the RSU and the user. Therefore, it is infeasible for an attacker to derive the real identities of the RSU and the user. Hence, the proposed scheme satisfies the anonymity property.

8. Insider Attack: SELWAK is robust against insider attacks. The neighboring vehicles cannot get unauthorized access to the sensitive information of a particular vehicle by stealing its credentials.
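
The RSU-side check of {L7, T3} described at the end of the V2R phase, and the replay item in the list above, can be exercised with the following added example, which is not code from the paper. SHA-256 as h(·), the 8-byte timestamp encoding, the window `DELTA_T` and all sample values are assumptions; the duplicate cache is an extra hardening step the paper does not describe, covering a message repeated while its timestamp is still fresh.

```python
import hashlib
import hmac

DELTA_T = 5  # assumed freshness window in seconds (no value is given in this section)

def h(*parts):
    """One-way hash h(.) over a||b||...; SHA-256 is an assumption."""
    return hashlib.sha256(b"".join(parts)).digest()

def ts(t):
    """Fixed-width timestamp encoding (assumption) so that '||' is unambiguous."""
    return int(t).to_bytes(8, "big")

def obu_confirm(s_kvr, now):
    """OBU side: build {L7, T3} with L7 = h(S_kVR || T3)."""
    return h(s_kvr, ts(now)), now

class RsuVerifier:
    def __init__(self, s_kvr, delta_t=DELTA_T):
        self.s_kvr, self.delta_t = s_kvr, delta_t
        self.seen = {}  # L7 -> T3; duplicate cache, a hardening not in the paper

    def verify(self, l7, t3, now):
        # Step 1: validate T3 against the freshness window.
        if abs(now - t3) > self.delta_t:
            return "stale"
        # Step 2: L8 = h(S_kVR || T3), compared with L7 in constant time.
        if not hmac.compare_digest(h(self.s_kvr, ts(t3)), l7):
            return "mismatch"
        # Added step: drop expired entries, then refuse a repeated {L7, T3}.
        self.seen = {k: v for k, v in self.seen.items()
                     if abs(now - v) <= self.delta_t}
        if l7 in self.seen:
            return "duplicate"
        self.seen[l7] = t3
        return "ok"

def demo():
    sk = h(b"constructed session key")  # constructed sample value
    t0 = 1_700_000_000                  # constructed sample time
    rsu = RsuVerifier(sk)
    l7, t3 = obu_confirm(sk, t0)
    return [
        rsu.verify(l7, t3, now=t0 + 1),        # fresh message, correct key
        rsu.verify(l7, t3, now=t0 + 3),        # same message again, inside the window
        rsu.verify(l7, t3, now=t0 + 60),       # delayed replay
        rsu.verify(l7, t0 + 60, now=t0 + 60),  # old L7 with a re-stamped T3
        RsuVerifier(h(b"other key")).verify(l7, t3, now=t0 + 1),  # wrong session key
    ]

if __name__ == "__main__":
    print(demo())
```

Binding T3 inside the hash is what makes the re-stamped message fail: changing the timestamp without S_kVR invalidates L7.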

Performance Analysis
In this section, the performance of the proposed scheme and the existing schemes is analyzed. The proposed scheme is implemented with the following specifications: a 2.66 GHz Intel(R) Core(TM) 2 Quad processor with 4 GB of memory running Windows 10. We compared SELWAK with some existing schemes based on computational costs, as well as communication costs. The performance result shows that our scheme is efficient in terms of computational cost and communication overhead compared to existing schemes.

Computation Overhead
The notations $T_{pm\text{-}ECC}$, $T_{pa\text{-}ECC}$, and $T_h$ used in Table 2 represent Elliptic Curve Cryptographic point multiplication, Elliptic Curve Cryptographic point addition, and the one-way hash function, respectively. As bitwise XOR operations take negligible time, we have not considered them for performance evaluation.
We have considered the values 0.6718 ms, 0.0031 ms, and 0.001 ms for the cryptographic operations $T_{pm\text{-}ECC}$, $T_{pa\text{-}ECC}$, and $T_h$ from existing experimental values [5,19,27]. The computational costs of SELWAK and some existing schemes are compared in Table 2. The schemes to which we compare our work include those of Zhong et al. [17], Ali et al. [19], Cui et al. [20], Xie et al. [21], Li et al. [24], Al-shareeda et al. [27], and Jalawai et al. [32].
An authentication scheme with privacy preservation property based on identity was proposed in [17]. To reduce communication overhead, a registration list is used instead of a revocation list. The security features of VANET were not affected by malicious vehicles. Moreover, their scheme did not use bilinear pairing operations, which take more execution time. An elliptic curve cryptography-based and identity-based signature with a conditional privacy-preserving authentication scheme and general one-way hash functions for V2V communication is proposed in [19]. Cui et al. [20] presented a secure authentication approach with privacy properties for VANET. This scheme uses ECC and identity-based signatures for both V2I and V2V communication. The authors used the binary search method and the cuckoo filter method to improve the success rate of batch signature verification. Xie et al. [21] proposed a robust and secure conditional privacy-preserving scheme using identity-based authentication. The reliability and integrity of the messages are ensured using identity-based signatures for V2V and V2I communication. Performance analysis shows that this scheme has a high computational cost and communication overhead. To ensure secure communication in VANET, an authentication scheme based on ECC that satisfies privacy preservation is proposed in [27]. An efficient, provably-secure and anonymous conditional privacy-preserving authentication scheme for vehicular ad hoc networks has been proposed in [32].
Similarly, an authentication approach for global mobility networks was proposed in [38]. This scheme is based on an elliptic curve cryptosystem and therefore takes much execution time to perform major cryptographic operations.
As shown in Figure 7, the execution time taken by our proposed scheme is much less than that of the other four schemes. The proposed scheme is also efficient, even in the worst case, compared to other schemes.

In Figure 8, we show the total extra bits sent with the original message during vehicle communication for various schemes.

| Scheme | Extra bits sent |
|---|---|
| [24] | 1024 bits |
| [27] | 832 bits |
| [38] | 2176 bits |
| SELWAK | 544 bits |

Conclusions
We proposed a novel SELWAK scheme for VANETs. Our scheme is efficient in terms of computational cost and communication overhead due to the use of one-way hash functions and bitwise XOR operations. SELWAK has extra features, such as mutual authentication and anonymity of vehicles and roadside units. The proposed scheme is robust against driver impersonation attacks, OBU impersonation attacks, OBU capture attacks, RSU impersonation attacks, eavesdropping attacks, and insider attacks, and it provides anonymity, untraceability, and perfect forward and backward secrecy. The formal analysis of the proposed scheme was conducted using the RoR model. Therefore, the proposed scheme works efficiently for intelligent transportation systems.
In future work, the anonymous mutual authentication will be analyzed using BAN Logic and simulated on platforms such as NS2, SUMO, and OMNET++.

Conflicts of Interest:
The authors declare no conflict of interest.